Security Addendum
GREENHOUSE SOFTWARE, INC.
Last Updated: February 1, 2026
This Security Addendum (“Security Addendum”) supplements the MSA, available at MSA, and is hereby incorporated by reference into the Agreement between Greenhouse and Customer. This Security Addendum governs the duties and responsibilities with respect to the protection of Personal Data transferred by Customer to Greenhouse. Capitalized terms used but not otherwise defined in this Security Addendum shall have the meanings set forth in the Agreement. In the event of any conflict between this Security Addendum and the MSA, this Security Addendum shall control to the extent of the conflict with respect to the subject matter herein.
Greenhouse agrees that it shall comply with the following requirements regarding Personal Data collected, used, or processed on behalf of Customer pursuant to the terms of the MSA.
Greenhouse has implemented and shall maintain a written information security management policy with standards that are no less rigorous than accepted industry practices, shall comply with all applicable laws to protect Customer’s Personal Data from loss or unauthorized access, destruction, use, modification, disclosure or other processing, and shall comply with the provisions of this Addendum. Consistent with this policy, Greenhouse has implemented physical, technical, and administrative information safeguards that adequately provide for: (a) protection of business facilities, paper files, servers, computing equipment, including all mobile devices and other equipment with information storage capability, and backup systems containing Customer’s Personal Data; (b) network, application (including databases), and platform security; (c) business systems designed to optimize security; (d) secure, encrypted transmission and secure, encrypted storage of Personal Data; (e) authentication and access control mechanisms; and (f) security for personnel who have access to Personal Data, including recent strong background checks on all such personnel to the extent permitted by law, use of unique, robust passwords, and annual training on how to comply with Greenhouse’s physical, technical, and administrative information security safeguards.
Greenhouse shall regularly test and monitor the effectiveness of its security practices and procedures relating to Personal Data, and will evaluate and adjust its information security program in light of the results of the testing and monitoring, any relevant changes to its operations or business arrangements, or any other circumstances that Greenhouse knows or reasonably should know may have a material effect on the effectiveness of its information security program.
Without limiting the foregoing, Greenhouse has implemented the following security controls:
1. Admittance Control (physical):
- Greenhouse will prevent unauthorized persons from gaining access to the systems used to process Personal Data.
- Greenhouse will protect offices in which Personal Data is processed against access by unauthorized persons.
- Greenhouse’s data center provider maintains the following physical security controls:
  - key card access and biometric scanners on all doors and elevators
  - perimeter and interior video cameras
  - 24/7/365 security guard monitoring
  - restricted, logged access to cages containing servers and network equipment
2. Entry Control (systems):
- Greenhouse will prevent data processing systems from being used without authorization.
- Greenhouse will only grant its personnel and its permitted subprocessors access to applications that process Personal Data to the extent they require it to fulfill their function.
- Greenhouse will ensure that the entry control is supported by an authentication system that includes regular, iterated grant checks.
- Greenhouse shall conduct appropriate systems hardening, including appropriate intrusion detection and network-level isolation.
3. Access Control (data):
- Greenhouse will ensure that Customer personnel who are entitled to use a data processing system have access only to the data to which they have a right of access (including in QA, staging and live systems), and that Personal Data cannot be read, copied, modified or removed without authorization in the course of processing or after storage.
- Greenhouse will enforce password complexity rules and multifactor authentication and other brute force protection methods on its personnel’s accounts on appropriate systems.
- Greenhouse will grant authorization to access Personal Data only to personnel who need the access to perform their functions. Additionally, Greenhouse will only grant the personnel the level of access (e.g., roles) required by such personnel to perform their respective functions. Greenhouse will ensure that only authorized personnel can access the Personal Data.
- Greenhouse also shall provide user management features to Customer. For example, Customer’s Greenhouse account owner shall be able to assign different roles and permissions to account users.
4. Transfer Control:
- Greenhouse will ensure that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish which parties receive the transferred Personal Data.
- Greenhouse will encrypt all Personal Data stored on logical or physical systems.
- Greenhouse will encrypt data while transferred through external networks, including between Greenhouse data centers. For example, all data transfers between an end user and the Greenhouse platform that the user has logged into are encrypted.
5. Input Control:
- Greenhouse will ensure that it is possible to check and establish whether and by whom Personal Data has been entered into data processing systems, modified or removed.
- Greenhouse may permit only authorized personnel to modify any Personal Data within the scope of their function.
- This will be achieved by means of logging of system access events, console events, and user-issued commands.
6. Job Control:
- Greenhouse will carry out the services, and, in particular, the data processing services, for Customer only in accordance with Customer’s instructions.
7. Availability Control:
- Greenhouse will protect Personal Data against accidental destruction or loss.
- Greenhouse has implemented measures that enable it to resume the services within a commercially reasonable timeframe if there is a breakdown of the services.
- Safeguards must include:
  - Redundant data center
  - Regular backups
  - Disaster recovery testing at least annually
8. Data Segregation:
- Greenhouse will ensure that data from different customers’ environments is logically segregated on Greenhouse’s systems, by making sure Personal Data collected for different purposes can be processed separately.
9. Security Incident Protection:
- A “Security Incident” is any reasonably suspected or actual loss of or unauthorized processing of Personal Data.
- Unless prohibited by law, Greenhouse will promptly (but in no event later than 72 hours after discovery) notify Customer of any Security Incident. Such disclosure shall describe the incident, the suspected effect on Customer, Personal Data involved and affected individuals, Greenhouse’s actual and anticipated corrective action to respond to the incident, and (if possible) the outcome of the incident.
- Greenhouse also shall take commercially reasonable steps to investigate, remedy and mitigate the harm caused by the Security Incident at Greenhouse’s expense. In addition, upon Customer’s reasonable request following a confirmed Security Incident affecting Customer’s Personal Data, Greenhouse shall permit an independent qualified third party auditor selected by Customer and reasonably acceptable to Greenhouse to perform an investigation (including the installation of monitoring or diagnostic software or equipment, subject to Greenhouse’s prior written approval, which shall not be unreasonably withheld) to locate the source and scope of the breach and provide Customer with any material information related to Customer or Customer’s Personal Data that such independent auditor discovers with respect to the incident. Any such audit shall: (i) be conducted upon reasonable advance written notice of no less than ten (10) business days; (ii) be limited in scope to the Security Incident affecting Customer; (iii) be conducted in a manner that does not unreasonably disrupt Greenhouse’s operations or compromise the security or confidentiality of other customers’ data; and (iv) require the auditor to execute a confidentiality agreement with Greenhouse on terms reasonably acceptable to Greenhouse prior to commencing the investigation. Customer shall bear the costs of any such third-party audit. Notwithstanding the foregoing, Greenhouse expressly disclaims liability for Security Incidents that arise from Customer’s breach of its obligations as set forth in the Agreement.
